Improve security and privacy by updating HTTP Cache
Forgetting or misusing the Cache-Control header may negatively impact the security of your website and your users' privacy.
Security
Our latest news, updates, and stories about Security.
Monitor your web application with the Reporting API
Use the Reporting API to monitor security violations, deprecated API calls, and more.
Migrate to Reporting API v1
A new version of the Reporting API is available. It's more private and more likely to be supported across browsers.
Safe DOM manipulation with the Sanitizer API
The new Sanitizer API aims to build a robust processor for arbitrary strings to be safely inserted into a page.
Security headers quick reference
Learn more about headers that can keep your site safe and quickly look up the most important details.
What is FLoC?
FLoC enables ad selection without sharing the browsing behaviour of individual users.
Mitigate cross-site scripting (XSS) with a strict Content Security Policy (CSP)
How to deploy a CSP based on script nonces or hashes as a defense-in-depth against cross-site scripting.
A guide to enable cross-origin isolation
Cross-origin isolation enables a web page to use powerful features such as SharedArrayBuffer. This article explains how to enable cross-origin isolation on your website.
How to use HTTPS for local development
Sometimes, you need to run your local development site with HTTPS. Tools and tips to do this safely and quickly.
When to use HTTPS for local development
Using http://localhost for local development is fine most of the time, except in some special cases. This post explains when you need to run your local development site with HTTPS.
Payment and address form best practices
Maximize conversions by helping your users complete address and payment forms as quickly and easily as possible.
Sign-up form best practices
Help your users sign up, log in and manage their account details with a minimum of fuss.
SMS OTP form best practices
Learn how to optimize your SMS OTP form and improve user experience.
Schemeful Same-Site
The definition of "same-site" is evolving to include the URL scheme, so links between HTTP and HTTPS versions of a site now count as cross-site requests. Upgrade to HTTPS by default to avoid issues where possible or read on for details of what SameSite attribute values are needed.
Feedback wanted: CORS for private networks (RFC1918)
Mitigate the risks associated with unintentional exposure of devices and servers on a client’s internal network to the web at large.
Help users change passwords easily by adding a well-known URL for changing passwords
Redirect a request to `/.well-known/change-password` to the change-passwords URL
Debugging memory leaks in WebAssembly using Emscripten
While JavaScript is fairly forgiving in cleaning up after itself, static languages are definitely not…
Referer and Referrer-Policy best practices
Best practices to set your Referrer-Policy and use the referrer in incoming requests.
web.dev LIVE wrap-up
A summary of the major news and updates that were announced during our 3-day online community event, and a reminder about upcoming regional events.
Sign-in form best practices
Use cross-platform browser features to build sign-in forms that are secure, accessible and easy to use.